HP Warns Of IoT Security Risks

The Internet of Things, even as it ushers in a new era of comfort and automated convenience, may turn out to be a web of risk and exposure, according to HP's Fortify security software unit.

HP tested 10 popular devices likely to be included on the Internet of Things and found 70% of them contained security exposures. On average, each device contained 25 holes, or risks of compromising the home network. One example was lawn sprinkler controls. Another was a remote-controlled home thermostat.

Devices on the IoT typically communicate through the use of unencrypted data, sometimes via a WiFi network that's easily snooped. The devices are prone to cross-site scripting, where an active agent, input in the manner of legitimate user data, is picked up by a second device where it functions intrusively.

"Have you input your credit card information into your TV? That might not be an IoT best-practice," says Maria Bledsoe, senior manager of the Fortify unit, with a whiff of sarcasm creeping into the discussion.

The Internet of Things is expected to include 26 billion devices by 2020, according to Gartner. IoT product and service suppliers will generate revenues of $300 billion in 2020. But there may be some pitfalls on the way to device Nirvana.

Looking at 10 types of devices, HP's Fortify unit found 250 vulnerabilities. In addition to thermostats, TVs, and lawn sprinkler controllers, the devices included home webcams, door locks, garage door openers, scales, home alarms, hubs for multiple devices, and remote power outlets.

These days such devices often have a connection to an internal application provided by the manufacturer or third parties. HP didn't specifically name the devices inspected, but two popular networked thermostats are Nest Labs and Honeywell Lyric.

Of the devices, along with their cloud and mobile application components, 80% did not require passwords of sufficient complexity and length, according to the HP report, and 90% collected at least one piece of personal information.

Further, 70% of devices or their mobile and cloud components allowed an attacker to identify a valid account through account enumeration. For example, suppose an attacker knows the names of three household members and enters one of them in a login process. The device's response may tell him that the account name already exists and then request a password. The attacker could then enter another name and be told whether it was legitimate or not, without ever needing to submit a password, until he had a rough map of the accounts on the device.
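The enumeration oracle described above, as an added illustration that is not from the HP report: a login handler that answers differently for known and unknown usernames, beside a hardened version that returns one generic message and always does the same hashing work. The account store, salt and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample account store (username -> (salt, password hash)).
# These values are made up for this example, not taken from the HP report.
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

_SALT = b"example-salt-16b"
ACCOUNTS = {
    "alice": (_SALT, _hash("correct horse battery staple", _SALT)),
    "bob": (_SALT, _hash("s3cure-passphrase!", _SALT)),
}
# Dummy hash so an unknown username costs the same work as a real one.
_DUMMY = _hash(secrets.token_hex(16), _SALT)


def login_enumerable(username: str, password: Optional[str]) -> str:
    """Vulnerable pattern from the article: the reply reveals whether the
    account exists before any password has been submitted."""
    if username not in ACCOUNTS:
        return "unknown account"                 # leaks: name is not valid
    if password is None:
        return "account found, enter password"   # leaks: name is valid
    salt, stored = ACCOUNTS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong password"


def login_hardened(username: str, password: Optional[str]) -> str:
    """Same check with one generic failure message; a dummy hash is used for
    unknown names so neither the text nor the timing reveals valid accounts."""
    exists = username in ACCOUNTS
    salt, stored = ACCOUNTS.get(username, (_SALT, _DUMMY))
    candidate = _hash(password or "", salt)
    # Non-short-circuit '&' keeps the comparison cost identical in both cases.
    ok = hmac.compare_digest(candidate, stored) & exists
    return "ok" if ok else "invalid username or password"


def responses_leak(login, usernames, password: Optional[str] = None) -> bool:
    """Test helper: True if probing several usernames without a valid password
    yields more than one distinct reply, i.e. the login is an enumeration oracle."""
    return len({login(u, password) for u in usernames}) > 1
```

`responses_leak` is the check a reviewer would run against a device's login or account-recovery endpoint: any difference in reply across guessed names is the leak the report counts.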

Six out of the 10 devices did not use encryption when downloading software updates, an alarming number given that software powers the functionality of the tested devices. Some downloads could be intercepted, extracted, and mounted as a file system in Linux, where the code could be viewed and modified.

Some exposures were trivial, such as allowing "1234" as a password, Bledsoe told us. Others were more serious, with potentially graver consequences. Leading Bledsoe's list of more serious flaws: lack of transport encryption, since it leaves open the possibility of losing account names and passwords.

If devices are added to a corporate network, the added exposure increases the attack surface, not just for IoT devices but for other computing devices on the network. Companies can protect themselves to some extent by demanding that device suppliers check their embedded software for exposures (and HP will gladly offer a service to help do this). Homeowners, however, don't have that kind of clout. They can take the standard precautions, such as eliminating foolish default passwords like 1234, but they are not really in a position to insist that manufacturers verify that the embedded software contains no vulnerabilities.

"We need to sound a warning bell," says Bledsoe. Until devices have built-in security and transport encrypted data, the Internet of Things threatens to expand attack vectors and multiply vulnerabilities. There are few products, other than traditional anti-malware software for PCs, that can stand watch over connected devices functioning in the home.

Bledsoe concedes that little data will likely be stolen out of the lawn sprinkler controller. But if it's on the home network, she cautions, "It's a gateway into the home. You've basically left an open door."

And if you've been secretly watering your lawn at night during a drought emergency, then even the data on the sprinkler controller can land you in hot water if it ends up in the wrong hands.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

If you are still using IoT then I guess you have yourself to blame because I am very sure that something bad is going to happen to you. This has been said like a million times and I just don't have better words to warn you. Thank you for this great article.

That's what's so frustrating! We can guarantee that IoT devices will be hackable, and we have the recent history of the Web to demonstrate that people can and will find vulnerabilities and create exploits, whether for the lulz, vandalism, or to commit crime. We know it's going to happen, and yet still we have to go through the whole stupid dance.

The first time someone gets hurt or ripped off by an IoT vuln and the manufacturer says "I had no idea!" I propose that the CEO has to have the words "I'm a jackass" tattooed to his or her head.

In the consumer industry, I'd say no one at this point because most of the outcomes of a hacked IoT device aren't that severe. The problem is, when security gets added on later once real problems arise, it means systems are less safe than if security had been built in from the start.

We might see more consumer-oriented action if the automotive industry gets deeply into IoT, i.e. as the car becomes more of a mobile hotspot and has apps that connect to third-party devices and systems, like reporting on your driving behavior to your insurance company, or ordering and paying in advance for a meal at a turnpike rest stop. Once you add payments to the IoT mix, you get the security incentive.

However, I'd say medical device manufacturers and the healthcare industry have a significant stake in driving IoT security standards, if only for liability issues. Same for the use of IoT in industrial controls and manufacturing.